This has been a busy fortnight for Microsoft Windows users, with the release of 24H2, the resurrection of Recall, the shutdown of yet another Windows 11 upgrade workaround and the latest blue screen of death debacle. All too easy, then, for users to forget the update deadline ticking away in the background—now just 72 hours away—to protect against a “critical vulnerability” that has come under attack.
We’re talking CVE-2024-43461, which came as a nasty sting in the tail to Microsoft’s September security update, echoing a similar alert back in July, and prompting the U.S. government’s cybersecurity agency to add it to its Known Exploited Vulnerabilities (KEV) catalog. “Microsoft Windows MSHTML Platform contains a user interface (UI) misrepresentation of critical information vulnerability that allows an attacker to spoof a web page,” CISA warns, adding that “this vulnerability was exploited in conjunction with CVE-2024-38112.”
CISA’s Windows update mandate is set for October 7, with its usual instructions that users need to “apply mitigations” by that date “or discontinue use of the product if mitigations are unavailable.” That is mandatory for federal employees, but many other public and private organizations follow CISA’s suit, and its remit is “to help every organization better manage vulnerabilities and keep pace with threat activity,” especially where those organizations operate in high-profile sectors.
Security tensions are heightened at the moment, with the CrowdStrike experience fresh in minds and the situations in the Middle East and Eastern Europe raising alert levels and the prospect of offensive cyber activity targeting critical infrastructure.
I reported on CVE-2024-38112 in July, at which time Check Point explained that attackers had been manipulating “special Windows Internet Shortcut files” to open malicious URLs with Internet Explorer, long dead but still present under the Windows covers, instead of Edge or Chrome. “The attacker gains significant advantages in exploiting the victim’s computer,” they warned, even with a “computer running the modern Windows 10/11 operating system.”
Trend Micro’s ZDI flagged the latter of the two CVEs, reporting that it “allows remote attackers to execute arbitrary code on affected installations of Microsoft Windows,” with users lured into visiting a rogue webpage crafted to execute the attack.
These two vulnerabilities have been exploited as a twofer, and patching the first also resolves the second. But in the world of stubborn resistance to Windows 11, with almost a billion users still holding out, it’s far from certain that PCs have been updated since that first warning. If that’s the case, they are at risk. As for those resisting Windows 11, this is a good example of why coming off support is such a bad idea, and why whichever option you choose, doing nothing is the wrong one.